
Major OpenPGP/GPG and S/MIME Email Encryption Vulnerability Puts Private Data at Risk

A team of cybersecurity researchers from universities in Germany and Belgium has reported a newly discovered vulnerability in the OpenPGP/GPG and S/MIME email encryption software. The flaw affects the vast majority of email users, as it exposes the email plugins in the most popular clients to cyber-attacks, including Apple Mail with GPGTools, Thunderbird with Enigmail, and Outlook with Gpg4win. In the middle of last month, the team of researchers published an in-depth analysis of the bug; the vulnerability and the potential exploits based on it have been named EFAIL.

In a Twitter post, Sebastian Schinzel, Professor of computer security at Muenster University of Applied Sciences, also warned about the potential dangers resulting from this vulnerability, appealing to all users of the affected encryption methods to disable them immediately and switch to alternative solutions. Messaging platforms like Signal, for example, could serve as another, more reliable, system for data encryption.

According to the academic whitepaper describing the bug, attacks based on the EFAIL exploits use vulnerabilities in the PGP and S/MIME standards. In short, EFAIL attacks reveal the plain text of encrypted emails through requested URLs by abusing active content of HTML emails, like externally loaded styles or images. To conduct the attacks, the hackers create exfiltration channels by getting access to the targeted encrypted data. The attacks can be carried out by compromising email servers, backup systems, client computers or email accounts, as well as by eavesdropping on network traffic. Potential attackers could exploit the PGP and S/MIME vulnerabilities to get access not only to the plain text of encrypted emails but also to some content sent in the past.

The researchers point out that it could take some time until the affected email encryption standards are updated. For now, in order to protect users, the Electronic Frontier Foundation advises that the tools for automatic decryption of emails encrypted through the PGP standard should be immediately disabled and uninstalled. This is only a temporary measure to prevent possible EFAIL attacks from being executed, and users could restore the old configuration as soon as patches for the known vulnerabilities are released.
